We are going to end up with something sooner or later.
The fact is that we want (and can) enter into contracts on the Internet. In order to enforce contracts we must have identities. Since the Government (specifically the judiciary) enforces contracts, this means that we must be entering into these contracts under Government-managed identities.
Currently we acquire and prove this Government-managed identity using an ad-hoc, decentralised, system with much duplication. I can use a passport or my driver's license or my birth certificate or perhaps some utility bills or some combination. This causes various problems, including fraud and waste.
If two parties mutually choose to enter into a contract over the Internet, and this contract is to be enforced by the judiciary, then it would be ideal for them to be able to verify each others' legal entities and authorisation. I think that properly implemented this could eliminate a large amount of online fraud.
Nothing about the principle of such a system inherently creates privacy problems, since when parties enter into a contract they already expect to reveal their identities to each other, and nothing would necessarily be forcing people to reveal their identities in any other situation, just the same as is the case at the moment.T here is a risk of a slippery slope of course; I can't deny that.
There's no reason such a system has to be centralised, though. X.509 certificates would work fine, for example, issued at the same time as a birth certificate, with each local office as a CA.
Unfortunately, the problem is with implementation. I don't think that any government is competent enough to put a system together that does meet privacy requirements, and there are too many self-interested parties who would influence and corrupt the design of such a system.
Sorry the Engadget piece is full of FUD and light on details. I was at the event and covered it for Wired.com.
This initiative is coming out of NIST inside the Commerce department, with smart folks there who know this 1) a tough problem, 2) needs to be an open standard and 3) that the feds role here is best as being the ones who convene the people in the room.
There's got to be a better way to prove you are real and legit, than giving some company the right to pull a sub-one dollar sum of money from your bank account and then confirming that to them online.
OpenID is fine, so far as it has gone, but right now it looks like Facebook is winning the war for identity and authentication. Having the feds behind an open standard hardly means you are getting the Real ID of the internet.
You've got a few choices of who's going to do this in the future. The feds, your bank, Facebook, PayPal or your mobile phone carrier. Personally, I'd prefer an open system where I have my choice of 10 providers all using open standards, than having to rely on multiple closed systems like giant bank or Facebook or Paypal.
>"There's got to be a better way to prove you are real and legit, than giving some company the right to pull a sub-one dollar sum of money from your bank account and then confirming that to them online"
I've never had any problem with this method, what are your objective quantifications for why a 'internet id' from the Commerce Department would solve this better? Why does taxpayer money need to be spent on a problem that is already solved to a sufficient degree by commercial forces?
There's literally nothing in the proposal about an internet ID from the Commerce Department. While I'm not thoroughly convinced we need better identification on the net, the proposal here is about creating standards for stronger identification -- something like OpenID with the weight of the federal government trying to get industry, privacy and security groups in the same room. The alternative, it seems to me, is to watch Facebook corner the market on consumer identity, while defense contractors or the banking industry wins government contracts, and the latter eventually create some very badly designed system for citizens to log in to government agency websites.
While I'm also deeply opposed to any government-run program, that's not what's happening here.
I'm also a bit disappointed here with Hacker News. Folks here could easily imagine an internet that is easier and safer with a better way for users to manage their identities, while retaining both privacy and the possibility of pseudonimity and anonymity. Instead, mostly what's shown up in the border here is a Reddit thread with people saying, "You can take my anonymous internet but you'll have to pry the keyboard out of my cold dead hands." HN is usually much better than this.
"I'm also a bit disappointed here with Hacker News. Folks here could easily imagine an internet that is easier and safer with a better way for users to manage their identities"
I'm disappointed with you. Why do your values for a "safer and better" internet have to be imposed on me? Where is your objective data showing this will be a "safer and better" internet? Is internet use in Australia "safer and better" because they choose to govern and censor it? To me this sounds like the marketing-speak of the war on drugs and terror.
Furthermore, why do I need a federal program to do this? There are already identity management solutions and standards widely available, namely Shibboleth http://shibboleth.internet2.edu/, which is deployed across California State Universities and universities across the U.S. There is no reason it could not be leveraged for federated identity.
>"While I'm also deeply opposed to any government-run program, that's not what's happening here."
Pardon? Just because it is a private-public partnership does not exclude the government from ownership, but don't trust me, go read the source yourself: http://www.dhs.gov/xlibrary/assets/ns_tic.pdf That is the draft from when it was proposed for DHS. You can see in the document itself the references to "accountability" of these private partners to the government in their "Identity Ecosystem".
I'm saying that the principle is a good idea, makes sense and that's why it'll happen eventually. The problem is the implementation. I'm happy to fight bad ideas. Here in the UK we managed to fight off the first bad implementation they tried to push on us.
The current system is full of waste and inefficiency, and the possibility of fraud.
As such people using it take great care and don't trust it.
This is actually a hidden benefit of the system.
If you introduce an ID that everyone 'trusts' implicitly (esp. relating to online commerce) then the scope for fraud widens greatly. You can assume the system will get corrupted because of the great benefits accruing to those who can breach it.
The vast majority of contracts entered don't need much; if it does go wrong, usually little damage is done. As the risk profile increases, then so does the amount of verification, purchasing a business requires reams of documentation, an iPhone cover shipped out of hong kong can stay anonymous.
As IT people, we all naturally love a world that fits into a relational model, one where all people have a unique ID. As citizens, however, we have to resist this because of the lopsided risk/reward profile for individuals. In cases if centralised ID, you gain a little but lose a lot.
> In order to enforce contracts we must have identities.
In theory - no, we don't, except for ephemeral one-time identities which are actually anonymous.
In real world - yes, (un)?fortunately we must. Still, there's no reason to require that anyone must have one and only one identity, and this identity must be state-issued.
The fact is that we want (and can) enter into contracts on the Internet. In order to enforce contracts we must have identities. Since the Government (specifically the judiciary) enforces contracts, this means that we must be entering into these contracts under Government-managed identities.
Currently we acquire and prove this Government-managed identity using an ad-hoc, decentralised, system with much duplication. I can use a passport or my driver's license or my birth certificate or perhaps some utility bills or some combination. This causes various problems, including fraud and waste.
If two parties mutually choose to enter into a contract over the Internet, and this contract is to be enforced by the judiciary, then it would be ideal for them to be able to verify each others' legal entities and authorisation. I think that properly implemented this could eliminate a large amount of online fraud.
Nothing about the principle of such a system inherently creates privacy problems, since when parties enter into a contract they already expect to reveal their identities to each other, and nothing would necessarily be forcing people to reveal their identities in any other situation, just the same as is the case at the moment.T here is a risk of a slippery slope of course; I can't deny that.
There's no reason such a system has to be centralised, though. X.509 certificates would work fine, for example, issued at the same time as a birth certificate, with each local office as a CA.
Unfortunately, the problem is with implementation. I don't think that any government is competent enough to put a system together that does meet privacy requirements, and there are too many self-interested parties who would influence and corrupt the design of such a system.